‘Cloud’ computing offers an alternative way to traditional methods of increasing capacity or adding capabilities on the fly without investing in new infrastructure, training new personnel, or licensing new software. ‘Cloud’ computing encompasses any subscription-based or pay-per-use service that extends IT’s existing capabilities in real time, using the Internet as the delivery mechanism.
A Symantec Connect DocumentWhy should CFO s care about cloud -based servicesCFO s are constantly challenged with improving organisa-tional economies and effectiveness. In times of austerity, CFO s need to make sense of whether cloud based services offer a silver lining. SYMANTEC PROPRIETARY/CONFIDENTIAL INTERNAL & CUSTOMERS UNDER NDA USE ONLYThis document contains confidential and privileged information. It is intended for use by SymantecCustomers to help evaluate Symantec solutions provided such Customers have signed an agreementwith the appropriate confidentiality provisions.Untitled DocumentUntitled DocumentWhy should CFO s care about cloud -based servicesWhite Paper: Why should CFO s care about cloud -based servicesContentsBackground . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1De-mystifying the Cloud jargon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .1A cloud is a cloud? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3Why the CFO should care Key considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3So now what where do you start? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5Untitled Document1BackgroundSo saying the last 10 years has been interesting for the CFO is a bit of an understatement. If you have been in Finance that long; you have survived the introduction and felt the impact of the Euro, Y2K, IFRS and the global effects of Sarbannes-Oxley. Not to mention two stock market crashes, global warming and sustainability pressures, the ageing workforce and the ongoing technological revolution. Against that background, your role may have changed somewhat and the traditional fnancial controller tasks are pretty much a given. Of course, they are still fundamental for the business but it is likely that you play a more strategic role in advising the CEO and senior leadership team in managing the business.Phew! After all of that, you could be forgiven then in making the assumption that you can really leave all decisions relating to the latest technology trends around cloud based computing and services purely to the IT department. Surely, they can handle decisions to do with system set-ups and server locations? The facts are that over this period of time you have been primarily concerned with financial strategy and risk mitigation - Cloud based services also need to be considered from a similar perspective. De-mystifying the Cloud jargon Cloud computing offers an alternative way to traditional methods of increasing capacity or adding capabilities on the fly without investing in new infrastructure, training new personnel, or licensing new software. Cloud computing encompasses any subscription-based or pay-per-use service that extends IT s existing capabilities in real time, using the Internet as the delivery mechanism.The cloud analogy is easy to recognise as a depiction for the Internet, however, going to the next level of cloud computing can be as fluffy as the cloud diagram itself. The issue of course is that this is a rapidly expanding and evolving area of technology, with many suppliers defining what cloud is from their own perspectives. Essentially , cloud computing is Internet-based computing, whereby shared resources, software, and information are provided to consumers in an on-demand nature. Maturity of these technologies has led to widespread adoption. As such these details are abstracted from consumers, removing much of the need for expertise in the technology infrastructure supporting the organisation. They simply take advantage of web-based tools or applications that users can access and use through a web browser as if it were a program installed locally on their own computer.Currently the majority of services are point based applications offering a specific solution that fall into one of the following three categories although aggregators and integrators are emerging. Distributed Workforce Management in the CloudUntitled Document2 Why should CFO s care about cloud -based servicesTypeDefinitionType of Services offeredExamplesSaaSSoftware as a Service typically deliv-ers software applications as services (SaaS) through the browser to thou-sands of customers using a scalable multi-tenant architectureBusiness AppsOffice productivity CollaborationSecuritySalesforce.comWebex (Cisco)Symantec.Cloud IaaSInfrastructure as a service - delivers computer infrastructure - storage and virtual servers that IT can access on demand. clients buy those resources as a fully outsourced service rather than purchasing them in-house. ComputingStorageAmazon web ser-vicesVerizon CaaSPaaSPlatform as a service - relates to the offering of a development and deploy-ment environment as opposed to a packaged application. Indtended for use by a company looking to develop a custom application.Development application components and environ-mentMicrosoft AzureGoogle AppsAll of the above share similar attributes that can be particularly appealing to the typical growing mid-sized organisation." Cost is claimed to be greatly reduced and capital expenditure is converted to operational expenditure. This lowers barriers to entry, as infrastructure is typically provided by a third-party and does not need to be purchased for one-time or infrequent intensive computing tasks. " Mobility is enabled with users accessing systems using a web browser regardless of their location or what device they are using (e.g., PC, mobile). As infrastructure is off-site (typically provided by a third-party) and accessed via the Internet, servces can be provided to any location." Maintenance of cloud computing applications is easier, provision from a central point means they are easier to support and to improve since the changes reach the clients instantly." Availability is enhanced, which makes cloud computing suitable for business continuity and disaster recovery. Nonetheless, many major cloud services have suffered outages. IT and business managers can at times do little when they are affected so Service Levels are critical to any provision agreement." Scalability and agility improves with users able to quickly meet demands without needing to deploy or have expensive technological infrastructure resources in place." Security against threats is typically much stronger as it doesn t impact the physical organisation, applications are virtualised and therefore minimise the threat to the local infrastructure.Untitled DocumentA cloud is a cloud?So if this is all provided over the internet then you could be forgiven for assuming that it all has the same level of privacy and security. However, if you talk to suppliers then they would probably describe as many cloud types as there are physical ones in the sky. There are different deployment types which fall into the following categories.Cloud TypeDefinitionConsiderationsPublic /External" Web applications / web services typi-cally offered in this way" Off-premise" Third party ownership" Utility pricing" High Scalability" No up-front costsCompanies may be limited by set control and flexibilityMinimal customisation and maturity of applications may be a concernCustomers with sensitive data may be deterred by shared data environmentsPrivate" Deployed inside the organisation" Owned and managed by or on behalf of the user company" CapEx requirement" Virtualised resources" Management automationSignificant investment requiredHands-on management requiredA variant of this maybe where its used across linked organisations and so the cost is shared and resembles a public cloud but with greater security and privacy, perhaps, for government organisationsHybrid" Combination of above " Multiple providers" Enables transitional approach" Reality during transitionAs companies transition to cloud there is likely to be a mix of infrastructure with cloud hosting and physical servers. Companies need to consider fexibility of pan environment solu-tions for areas such as security and data managementWhy the CFO should care Key considerations1. Finance - CAPEX vs OPEXGenerally, cloud computing customers do not own the physical infrastructure, instead avoiding capital expenditure by renting usage from a third-party provider. They consume resources as a service and pay only for resources that they use. So it becomes an operational expense where the applications are typically billed for based on either a usage basis (An example maybe an expense management system where there is a charge per expense report processed) or on a subscription basis (time/user-based) with minimal upfront costs. Other benefits of this approach are low barriers to entry, shared infrastructure and costs, low management overhead, and immediate access to a broad range of applications. This gives the company greater flexibility to choose when and how they begin a project and choose when to expand or even terminate a contract at any time (thereby avoiding difficult investment decisions for hardware, infrastructure and having unnecessary shelfware), and the services provided should always be covered by service level agreements (SLAs) with financial penalties if the provider does not meet availability and performance criteria. Why should CFO s care about cloud -based services3Untitled DocumentOrganisations should beware of the three key elements:" Cloud financial tipping point there will inevibatly come a point where an on-premise service is fully paid up, whereas charge for cloud services are ongoing" Real costs of on-premise many costs can be overlooked when assessing an implementation project. For example, maintenance costs run at between 15-25% per year, upgrades must be resourced both in terms of staffing and addi-tional infrastructure requirements, plus when was the last time a project ran to schedule?" Time to go-live crucially cloud services can often be delivered in less than a week, whereas an on-premise project can take months or even years. What gaps does this leave within your organisation and how important are they?Beyond the technical evaluation itself, you should also consider the human investment, there is, of course, potentially huge productivity gains to roll out a collaborative word processing service to the organisation in addition to savings on internal resource but as a straqtegic investment service maturity should be assessed to ensure wasted resource is minimised. It may make more sense to start in areas such as storage, infrastructure and security that would have minimal impact on the end user community. So any major project should go through the normal evaluation of whether there is an appropriate return on investment. In fact, perhaps a better alternative would be to perform a net present value (NPV) analysis. Both options can contain hidden costs and risks (e.g. ongoing maintenance and upgrade costs for on-premise ) and the opportunity costs/cost of finance may significantly impact the results.2. Risk - More than just moneyWe already mentioned that the CFO role had changed to much more than doing the books. In fact, arguably the CFO has got a new role as the Chief Risk Officer. With the turbulent economic climate and increasing penalties imposed on companies, the CFO has to be the board member who says hang on a minute and add an alternative perspective to corporate decisions. In this regard, the business risk as well as the basic economics need to be considered for any project initiative. You should ensure that the standard checks are performed related to the viability of providers as a long term partner and remember, data and contintuity are critical so ensure their infrastructure is robust from a Disaster Recovery perspective? Depending on your industry you will be challenged by a variety of compliance requirements. Nothing new here but customers are ultimately responsible for the security and integrity of their own data, even when it is held by a service provider. Traditional service providers are subjected to external audits and security certifications. Cloud computing providers who dismiss this scrutiny or cannot provide appropriate evidence should be avoided unless used for non critcal requirements. Cloud computing provides the opportunity to utilise multiple global suppliers. However, customers in the EU, for instance, contracting with cloud Providers established outside the EU/EEA have to ensure that these providers are familiar with and adhere to the EU regulations on export of personal data. A company in Europe perhaps with a U.S. parent would need to ensure that the provider s solution can allow them to gain compliance with regulations including FISMA, HIPAA and SOX in the United States. As another example many suppliers imply that cloud based services have reached a utilitytype maturity whereby all services carry the same risks and assurances. This is clearly not the case and so it is crucial that any solution chosen by your organisation is appropriate in terms of risk assurance.3. Security - How secure is this fluffy white stuff?Security isalways a key consideration and as such, the relative security of cloud computing services is a traditionally contentious issue. Some argue that customer data is more secure when managed internally, while others argue that cloud providers have a strong incentive to maintain trust and as such employ a higher level of security. Some Cloud suppliers, do carry security and privacy concerns. Why should CFO s care about cloud -based services4Untitled Document Why should CFO s care about cloud -based services5Data in the cloud is typically in a shared environment alongside data from other customers. You need to gain evidence that data is appropriately secured and that this a fundamental aspect of the design and doesn t carry additional cost or negatively impact the use of the solution. Suppliers understanding of inappropriate or illegal activity also needs to be addressed and provided. Customers must demand transparency, avoiding suppliers that refuse to provide detailed targets on all service elements and their performance against those targets. It s important to note that the business risk extends beyond a specific application being provided over the cloud . The increase in use of cloud based services, such as salesforce.com means that many mobile IT users will be accessing business data and services without necessarily accessing the corporate network itself. This will increase the need for companies to place security controls between mobile users and cloud based services.Traditional security requirements can protect in-house application and data environments, this must be complemented by cloud enabled security services that need to enforce that all remote connectionsfollow the same level of protection. Many organisations also utilise social media applications such as Twitter, Facebook, Linked-in etc. in addition to the more formal cloud applications. This starts to blur the boundaries between corporate and personal data. Its more than just data however, security can be undermined simply by perhaps a senior exec. bringing in their own iPad and expecting it to work on the corporate network.So do businesses face a difficult choice? Can they achieve good security and higher productivity, efficiency and convenience or is it a balancing act?Interestingly cloud computing itself enables security controls and functions to be delivered in new ways and by new types of service providers. It also enables companies to use security technologies and techniques that perhaps previously have not been cost-effective. Organisations can struggle to justify the expense of security controls or functions that are needed to respond to unanticipated or infrequent events. Cloud computing, however, can make these types of services available at short notice, while streamlining provision at a scale appropriate to address the threat.So now what where do you start?Cloud-based services certainly can be very attractive to an organisation. The likelihood is that your company or certainly some of the staff are already taking advantage to some degree. However, as you assess the economics and risk associated with these services, perhaps one of the first to invest in is cloud based security services that can fully integrate with your existing environment. As well as providing the building blocks for any IT enhancement program, their back-office nature means that they can be implemented quickly with minimal impact on end users. Like any cloud based application the security provider must offer the service levels that you require both today and as your business grows. The common hybrid deployment of the cloud means that a security provider that can almost cover your whole organisation like a flexible bubble that transitions as your company transitions makes the most sense. Security really is fundamental to every other cloud -based solution that you consider.Untitled DocumentMore Information Why should CFO s care about cloud -based services6Untitled DocumentUntitled DocumentAbout Symantec.cloudMore than 31,000 organisations ranging from smallbusinesses to the Fortune 500 across 100 countriesuse Symantec.cloud s MessageLabs services toadminister, monitor and protect their informationresources more effectively. Organisations canchoose from 14 pre-integrated applications to helpsecure and manage their business even as newtechnologies and devices are introduced andtraditional boundaries of the workplace disappear.Services are delivered on a highly scalable, reliableand energy-efficient global infrastructure built on14 data centers around the globe. A division withinSymantec Corporation, Symantec.cloud offerscustomers the ability to work more productively in aconnected world.For specific country officesand contact numbers, pleasevisit our website:www.symanteccloud.comWorld HeadquartersMessageLabs1270 Lansdowne CourtGloucester Business ParkGloucester, GL3 4ABUnited Kingdom+44 (0) 1452 627 627Copyright 2011 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 2/2011 21167338